A New Cryptocurrency-Mining Malware Is Spreading via Facebook Messenger

If you receive a video file packed in zip archive on your Facebook messenger, just don’t click on it. Researchers from security firm Trend Micro, discovered a new cryptocurrency-mining bot spreading through Facebook Messenger and targeting Google Chrome desktop users.

Dubbed Digmine, the Monero-cryptocurrency mining bot disguises as a non-embedded video file, under the name video_xxxx.zip, but is actually an AutoIt executable script that infects victims who attempt to run it.

According to the researchers, even though the Facebook Messenger works across different platforms, Digmine only affects Facebook Messenger’s desktop/web browser (Chrome) version. If the file is opened on other platforms (e.g., mobile), the malware will not work as intended.

If the user’s Facebook account is set to log in automatically, Digmine will manipulate Facebook Messenger in order to send a ‘video file’ link to the account owner’s friend list. Once clicked on that link, the malware infects victim’s computer and downloads its components and related configuration files from a remote command-and-control (C&C) server.

Digimine primarily installs a cryptocurrency miner, i.e. miner.exe—a modified version of an open-source Monero miner known as XMRig, which silently mines the Monero cryptocurrency in the background for hackers using the CPU power of the infected computers.

Besides the cryptocurrency miner, Digimine bot also installs a registry autostart mechanism and system infection marker, which will search and launch Chrome with a malicious browser extension that allows attackers to access the victims’ Facebook profile and spread the same malware file to their friends’ list via Messenger. If Chrome is already running, the malware will terminate and relaunch Chrome to ensure the extension is loaded.

“While extensions can only be loaded and hosted from the Chrome Web Store, the attackers bypassed this by launching Chrome (loaded with the malicious extension) via command line,” the blog post says.

The extension will also read its own configuration from the C&C server and instruct the extension to either proceed with logging in to Facebook or open a fake page that will play a video.

“The decoy website that plays the video also serves as part of their C&C structure. This site pretends to be a video streaming site but also holds a lot of the configurations for the malware’s components.”

First spotted in South Korea, the crypto jacking bot was spread across Azerbaijan, Philippines, Thailand, Ukraine, Venezuela, and Vietnam, demonstrating its potential to disperse elsewhere.

After being notified this issue to Facebook by Trend Micro, the social media giant promptly removed many of the Digmine-related links from its platform. In Facebook’s official statement, “We maintain a number of automated systems to help stop harmful links and files from appearing on Facebook and in Messenger. If we suspect your computer is infected with malware, we will provide you with a free anti-virus scan from our trusted partners.”

Links associated with Digmine were removed from Facebook, but it doesn’t stop hackers from manipulating the existing links to continue preying on Facebook users. In addition, since the miner is controlled from a C&C server, the attackers behind Digiminer can upgrade their malware to add different functionalities overnight.

“A known modus operandi of cryptocurrency-mining botnets, and particularly for Digmine is to stay in the victim’s system for as long as possible. It also wants to infect as many machines as possible, as this translates to an increased hashrate and potentially more cybercriminal income,” the blog post noted.

The recent surge in cryptocurrency prices has been making investors employ unethical methods to try and capitalize on it. So, users are advised to be vigilant when clicking on suspecting links and files provided via the social media sites or any other platforms.